[Update] 更改查看认证需要的MFA时间间隔

apps/assets/api/asset_user.py

@@ -10,7 +10,7 @@ from rest_framework import filters
 from rest_framework_bulk import BulkModelViewSet
 from django.shortcuts import get_object_or_404
 
-from common.permissions import IsOrgAdminOrAppUser
+from common.permissions import IsOrgAdminOrAppUser, NeedMFAVerify
 from common.utils import get_object_or_none, get_logger
 from common.mixins import IDInCacheFilterMixin
 from ..backends import AssetUserManager
@@ -57,7 +57,7 @@ class AssetUserSearchBackend(filters.BaseFilterBackend):
 class AssetUserViewSet(IDInCacheFilterMixin, BulkModelViewSet):
     pagination_class = LimitOffsetPagination
     serializer_class = serializers.AssetUserSerializer
-    permission_classes = (IsOrgAdminOrAppUser, )
+    permission_classes = [IsOrgAdminOrAppUser]
     http_method_names = ['get', 'post']
     filter_fields = [
         "id", "ip", "hostname", "username", "asset_id", "node_id",
@@ -111,22 +111,16 @@ class AssetUserExportViewSet(AssetUserViewSet):
     serializer_class = serializers.AssetUserExportSerializer
     http_method_names = ['get']
 
-    def list(self, request, *args, **kwargs):
-        otp_last_verify = request.session.get("OTP_LAST_VERIFY_TIME")
-        if not otp_last_verify or time.time() - int(otp_last_verify) > 600:
-            return Response({"error": "Need MFA confirm mfa auth"}, status=403)
-        return super().list(request, *args, **kwargs)
+    def get_permissions(self):
+        self.permission_classes.append(NeedMFAVerify)
+        return super().get_permissions()
 
 
 class AssetUserAuthInfoApi(generics.RetrieveAPIView):
     serializer_class = serializers.AssetUserAuthInfoSerializer
-    permission_classes = (IsOrgAdminOrAppUser,)
+    permission_classes = [IsOrgAdminOrAppUser, NeedMFAVerify]
 
     def retrieve(self, request, *args, **kwargs):
-        otp_last_verify = request.session.get("OTP_LAST_VERIFY_TIME")
-        if not otp_last_verify or time.time() - int(otp_last_verify) > 600:
-            return Response({"error": "Need MFA confirm mfa auth"}, status=403)
-
         instance = self.get_object()
         serializer = self.get_serializer(instance)
         status_code = status.HTTP_200_OK

apps/assets/templates/assets/_asset_user_list.html

@@ -32,8 +32,9 @@ var assetUserListUrl = "{% url "api-assets:asset-user-list" %}";
 var assetUserTable;
 var needPush = false;
 var prefer = null;
-var lastMFATime = "{{ request.session.OTP_LAST_VERIFY_TIME }}";
+var lastMFATime = "{{ request.session.MFA_VERIFY_TIME }}";
 var testDatetime = "{% trans 'Test datetime: ' %}";
+var mfaVerifyTTL = "{{ SECURITY_MFA_VERIFY_TTL }}";
 
 function initAssetUserTable() {
     var options = {
@@ -109,7 +110,7 @@ $(document).ready(function(){
     authUsername = $(this).data('user');
     var now = new Date();
     var nowTime = now.getTime() / 1000;
-    if ( !lastMFATime || nowTime - lastMFATime > 60*10 ) {
+    if ( !lastMFATime || nowTime - lastMFATime > mfaVerifyTTL ) {
         mfaFor = "viewAuth";
         $("#mfa_auth_confirm").modal("show");
     } else {

apps/authentication/api/auth.py

@@ -194,7 +194,7 @@ class UserOtpVerifyApi(CreateAPIView):
         code = serializer.validated_data["code"]
 
         if request.user.check_otp(code):
-            request.session["OTP_LAST_VERIFY_TIME"] = int(time.time())
+            request.session["MFA_VERIFY_TIME"] = int(time.time())
             return Response({"ok": "1"})
         else:
             return Response({"error": "Code not valid"}, status=400)

apps/common/permissions.py

@@ -132,3 +132,11 @@ class PermissionsMixin(UserPassesTestMixin):
             if not permission_class().has_permission(self.request, self):
                 return False
         return True
+
+
+class NeedMFAVerify(permissions.BasePermission):
+    def has_permission(self, request, view):
+        mfa_verify_time = request.session.get('MFA_VERIFY_TIME', 0)
+        if time.time() - mfa_verify_time < settings.SECURITY_MFA_VERIFY_TTL:
+            return True
+        return False

apps/jumpserver/conf.py

@@ -374,7 +374,7 @@ defaults = {
     'HTTP_LISTEN_PORT': 8080,
     'LOGIN_LOG_KEEP_DAYS': 90,
     'ASSETS_PERM_CACHE_TIME': 3600,
-
+    'SECURITY_MFA_VERIFY_TTL': 3600,
 }
 
 

apps/jumpserver/context_processor.py

@@ -17,6 +17,7 @@ def jumpserver_processor(request):
         'VERSION': settings.VERSION,
         'COPYRIGHT': 'FIT2CLOUD 飞致云' + ' © 2014-2019',
         'SECURITY_COMMAND_EXECUTION': settings.SECURITY_COMMAND_EXECUTION,
+        'SECURITY_MFA_VERIFY_TTL': settings.SECURITY_MFA_VERIFY_TTL,
     }
     return context
 

apps/jumpserver/settings.py

@@ -565,6 +565,7 @@ SECURITY_PASSWORD_RULES = [
     'SECURITY_PASSWORD_NUMBER',
     'SECURITY_PASSWORD_SPECIAL_CHAR'
 ]
+SECURITY_MFA_VERIFY_TTL = CONFIG.SECURITY_MFA_VERIFY_TTL
 
 TERMINAL_PASSWORD_AUTH = CONFIG.TERMINAL_PASSWORD_AUTH
 TERMINAL_PUBLIC_KEY_AUTH = CONFIG.TERMINAL_PUBLIC_KEY_AUTH